Luke Faragher · Call Recording · 6 min read

Is it legal to record a phone call in the UK?

A practical UK guide to call recording law. What private individuals can do, what businesses have to do, and the extra rules for FCA-regulated firms and businesses taking card payments.

If you’ve ever wondered whether it’s legal to record a phone call in the UK, you’ll find a lot of confidently-worded answers online, many of which are wrong, oversimplified, or applicable to the wrong category of caller. This guide cuts through it.

Not legal advice. This is general information based on publicly-available UK law. For specific situations, especially in a business or regulated context, speak to a solicitor or your compliance team.

The short answer

  • As a private individual recording your own call for personal use: legal, no need to inform the other person.
  • As a business recording customer calls: legal, but you need a lawful basis under UK GDPR and you must inform the other party (the standard “this call may be recorded” message does the job).
  • As an FCA-regulated firm: not just legal. You’re required to record certain calls, including those made on mobile.
  • If you take card payments by phone: PCI DSS rules apply. Never let card data end up in your recordings.

The rest of this guide walks through each scenario in more detail.


What the law actually says

Two pieces of UK legislation set the baseline:

Regulation of Investigatory Powers Act 2000 (RIPA)

RIPA was written to stop unauthorised interception of telephone calls. It makes it a criminal offence for telecoms operators (and others) to intercept calls in transit without proper authorisation. But, crucially, RIPA explicitly permits parties to a conversation to record their own calls. If you are on the call, you can record it.

Data Protection Act 2018 + UK GDPR

The DPA and UK GDPR don’t ban recording. They govern what happens to the recording afterwards, particularly when the recording contains personal data (which any voice recording of a human speaking does). The key principles for businesses:

  • Lawful basis: you must have one of the six lawful bases under UK GDPR (typically “legitimate interests” for training/quality, “contractual necessity” for order-taking, or “consent” for marketing).
  • Transparency: you must tell the other party the call may be recorded, and why.
  • Data minimisation: only record what you need.
  • Retention: no longer than necessary for the purpose.
  • Security: recordings must be stored securely with access controls.
  • Subject rights: the caller has rights to access their recording, ask for it to be deleted (in some circumstances), and complain to the ICO.

Scenario 1: A private individual recording their own call

This is legal in the UK without telling the other party, provided the recording is for your own personal use and not shared, published or used commercially.

Common reasons people do this:

  • Keeping a record of a conversation with a tradesperson, contractor, or service provider
  • Disputed billing or customer-service calls
  • Verbal contracts or commitments
  • Personal safety in stressful conversations

Where it gets risky: the moment you share the recording with someone else (or post it online), you’ve moved beyond “personal use” and into the territory where the other party’s data protection rights kick in. Sharing without consent can attract liability under defamation, harassment, or data protection law, depending on context.

If you’re going to share or use it more broadly, tell the other party at the start of the call. They may stop talking, but you stay clearly within the law.


Scenario 2: A UK business recording customer calls

The most common business scenarios (training, quality assurance, dispute resolution, order verification) are well-established and lawful, provided you do three things:

  1. Tell the caller. A short recorded message at the start of the call (or written notice in the IVR script, or a pre-call notice on the website if calls are scheduled) is enough.
  2. Have a lawful basis. “Legitimate interests” usually covers training, quality, dispute resolution and security. “Contractual necessity” covers orders. “Consent” is needed for marketing-related recordings.
  3. Handle the recording responsibly. Securely stored, access-controlled, retained only as long as needed, destroyed when the purpose ends.

The ICO publishes specific guidance for businesses on call recording, and it’s worth reading if you’re setting up recording from scratch.

One nuance worth flagging: if you use call recording to capture customer card data (PCI DSS-relevant), additional rules apply. See PCI DSS call recording for the specific architecture.


Scenario 3: FCA-regulated firms

If your firm carries out a “specified investment activity” under the FCA’s Senior Management Arrangements, Systems and Controls (SYSC) sourcebook section 10A.1, you must record the relevant calls. There’s no mobile carve-out: if the call relates to a regulated activity, the obligation applies whether it was on a landline, mobile, or VoIP.

Key obligations:

  • Recording itself: every in-scope call must be captured
  • Retention: at least 5 years (or 7+ years for MiFID II investment communications)
  • Durable medium: recordings stored in a tamper-evident format, reproducible on request
  • Access controls: only authorised staff can retrieve recordings, every retrieval logged
  • Periodic review: the firm must monitor recording quality and completeness

This is where app-based mobile recording typically fails: apps require the user to enable recording on each call, app permissions can lapse after OS updates, and recordings sit on the device until uploaded. Several FCA enforcement actions in 2022-2024 cited failures around recording communications conducted on personal mobile devices.

Network-level recording, where the recording happens on the mobile network itself, not on the device, addresses these failure modes by making the recording automatic and independent of user behaviour.


Other sectors have their own recording rules layered on top of UK GDPR:

  • Healthcare: clinical conversations may need recording for patient safety reasons (e.g. NHS 111). Strict access controls and clinical retention rules apply.
  • Legal: solicitors recording client calls have professional confidentiality obligations layered on data protection.
  • Education: recording of safeguarding-relevant calls may be required; recording students requires careful consent management.

In each case, the underlying UK GDPR principles (lawful basis, transparency, security, retention) still apply, but the sector-specific rules typically add to (not replace) the baseline.


How ONSIM does mobile call recording

If you’ve read this far because you’re trying to set up mobile call recording for your business, here’s the short version of what ONSIM offers:

  • Network-level recording: every call on every ONSIM SIM is captured automatically. Nothing for the user to enable.
  • Works on supported handsets: iPhone, Samsung, Pixel. See the full supported devices list. No app to install on the device.
  • SMS recording included, both directions
  • Configurable retention: 6 months to 7+ years
  • Compliance-grade for FCA / MiFID II: see our FCA call recording compliance page
  • PCI-aware setup available: see PCI DSS call recording for the architectures
  • Teams-complementary: closes the mobile gap that Teams compliance recording leaves open. See Teams call recording compliance.

For a tailored deployment, request a quote or call +44 333 880 4008.


Where to get authoritative answers

  • For data protection questions: the Information Commissioner’s Office (ICO) has detailed guidance for organisations.
  • For FCA-regulated firms: the FCA Handbook, specifically SYSC 10A and Conduct of Business Sourcebook (COBS) 11.8.
  • For card payment compliance: the PCI Security Standards Council publishes the DSS rules.
  • For your specific situation: a solicitor or compliance professional. This page is general information, not legal advice.